
  1. #!/bin/bash
  2. # By Brielle Bruns <bruns@2mbit.com>
  3. # URL: http://www.sosdg.org/freestuff/firewall
  4. # License: GPLv3
  5. #
  6. # Copyright (C) 2009 - 2014 Brielle Bruns
  7. # Copyright (C) 2009 - 2014 The Summit Open Source Development Group
  8. #
  9. # This program is free software: you can redistribute it and/or modify
  10. # it under the terms of the GNU General Public License as published by
  11. # the Free Software Foundation, either version 3 of the License, or
  12. # (at your option) any later version.
  13. #
  14. # This program is distributed in the hope that it will be useful,
  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. # GNU General Public License for more details.
  18. # You should have received a copy of the GNU General Public License
  19. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  20. # iptables_rules_flush (ipv6|ipv4)
  21. # Clear all rules from iptables - be very careful in how this is called as it
  22. # could easily lock out the user from the network. Best way to be safe, is to
  23. # call iptables_policy_reset first then this function.
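function iptables_rules_flush {
# Flush every rule and user-defined chain for one address family.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4 (same as the
#        rest of this file).
# Globals (read): IPTABLES, IP6TABLES, display
# Globals (written): IP_VERSION, VER_IPTABLES, TABLE_NAMES - left global on
#   purpose, the other functions in this file share them the same way.
#
# SECURITY NOTE: the built-in policies are reset to ACCEPT *before* the
# rules are removed, so the host is fully open from this point until the
# new rule set has been loaded.  Only call this as part of a reload and
# keep that window short.  iptables errors are deliberately ignored here:
# chains and tables that do not exist yet are expected on a clean system.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    TABLE_NAMES=/proc/net/ip6_tables_names
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    TABLE_NAMES=/proc/net/ip_tables_names
    ;;
esac
${display} GREEN "Flushing ${IP_VERSION} rules..."
# Accept everything first so a flush can never leave a DROP policy behind
# with no rules in front of it (that would lock the operator out).
local chain
for chain in INPUT OUTPUT FORWARD; do
  ${VER_IPTABLES} -P "${chain}" ACCEPT &>/dev/null
done
# filter table: flush all rules, then delete the user-defined chains.
${VER_IPTABLES} -F &>/dev/null
${VER_IPTABLES} -X &>/dev/null
for chain in INPUT OUTPUT FORWARD; do
  ${VER_IPTABLES} -F "${chain}" &>/dev/null
done
# The other standard tables, same order: flush rules, then delete chains.
local table
for table in nat mangle raw; do
  ${VER_IPTABLES} -t "${table}" -F &>/dev/null
  ${VER_IPTABLES} -t "${table}" -X &>/dev/null
done
# Finally flush any table the kernel reports as loaded (e.g. security) in
# case it is not in the fixed list above.  The file only exists while the
# x_tables modules are loaded, so guard the read instead of letting cat
# print an error.  User chains in those extra tables are left in place, as
# before.
if [[ -r "${TABLE_NAMES}" ]]; then
  while IFS= read -r table; do
    [[ -z "${table}" ]] && continue
    ${VER_IPTABLES} -F -t "${table}" &>/dev/null
  done < "${TABLE_NAMES}"
fi
}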
# default_policy_set (ipv6|ipv4) [INPUT_POLICY] [OUTPUT_POLICY] [FORWARD_POLICY]
# Sets the built-in INPUT/OUTPUT/FORWARD chain policies to ACCEPT or DROP for ipv4 or ipv6.
# Any policy that is not given defaults to ACCEPT.
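function default_policy_set {
# Set the built-in chain policies for one address family.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
#   $2 - INPUT policy   (default ACCEPT)
#   $3 - OUTPUT policy  (default ACCEPT)
#   $4 - FORWARD policy (default ACCEPT)
# Returns 1 without touching the kernel if any policy is not ACCEPT or DROP.
# Globals (written): IP_VERSION, VER_IPTABLES, INPOLICY, OUTPOLICY,
#   FWDPOLICY - kept global like the original.
#
# The original read the defaults with "${2=ACCEPT}".  For positional
# parameters bash rejects that expansion ("cannot assign in this way"), so
# a call without explicit policies passed an empty string to iptables.
# "${2:-ACCEPT}" is the correct default-value expansion.
IP_VERSION=$1
INPOLICY=${2:-ACCEPT}
OUTPOLICY=${3:-ACCEPT}
FWDPOLICY=${4:-ACCEPT}
case "${IP_VERSION}" in
  ipv6) VER_IPTABLES=${IP6TABLES} ;;
  *)    VER_IPTABLES=${IPTABLES} ;;
esac
# Validate before applying anything: a typo must not leave the chains
# half-configured, and only ACCEPT/DROP are sane built-in policies.
local policy
for policy in "${INPOLICY}" "${OUTPOLICY}" "${FWDPOLICY}"; do
  case "${policy}" in
    ACCEPT|DROP) ;;
    *)
      ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} policy must be ACCEPT or DROP, got '${policy}'"
      return 1
      ;;
  esac
done
${display} RED "Setting ${IP_VERSION} policies to INPUT:${INPOLICY} OUTPUT:${OUTPOLICY} FORWARD:${FWDPOLICY}..."
${VER_IPTABLES} --policy INPUT "${INPOLICY}"
${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}"
${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}"
}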
  66. # setup_iptables_chains (ipv4|ipv6)
  67. # Creates the default chains when called
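function setup_iptables_chains {
# Create the user-defined chains for one address family and wire them into
# the built-in chains in a fixed order:
#   INPUT:   InPreRules, InEasyBlock, InFilter, [v6ICMP], InPostRules
#   OUTPUT:  OutPreRules, OutEasyBlock, OutFilter, OutPostRules
#   FORWARD: FwdFilter
#   nat:     POSTROUTING -> NAT and PREROUTING -> PortForward, only when
#            Enablev4NAT / Enablev6NAT is "yes" for the family
# Between those steps the hook scripts prerun.sh, easyblock.sh, filter.sh,
# nat.sh, portfw.sh and postrun.sh under ${FWCONFIGDIR}/ipv${IPVER}/custom/
# are sourced when present.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (read): IPTABLES, IP6TABLES, FWCONFIGDIR, Enablev4NAT, Enablev6NAT,
#   the chain-name variables (InPreRules ... OutPostRules, NAT, PortForward,
#   v6ICMP), display, debug, DebugColor, DEFAULT_COLOR
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER - global on purpose:
#   the sourced hook scripts and the rest of this file read them.
#
# SECURITY NOTE: the hook scripts are sourced into this shell (which runs
# as root to drive iptables), so anyone who can write ${FWCONFIGDIR} can run
# arbitrary code as root.  Keep the configuration directory and the hooks
# owned by root and not group/world writable.  The original tested hooks
# with "-x" alone, which is also true for a searchable directory; a hook
# now has to be a regular executable file.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
# Whether NAT is enabled for the family being set up (one check instead of
# the four repeated "IPVER && EnablevXNAT" tests in the original).
local nat_enabled="no"
[[ ${IPVER} == "4" && ${Enablev4NAT} == "yes" ]] && nat_enabled="yes"
[[ ${IPVER} == "6" && ${Enablev6NAT} == "yes" ]] && nat_enabled="yes"
local hookdir="${FWCONFIGDIR}/ipv${IPVER}/custom"
local hook
# Create the actual chains
${display} GREEN "Setting up chains for ${IP_VERSION}..."
local chain
for chain in "${InPreRules}" "${OutPreRules}" "${InEasyBlock}" "${OutEasyBlock}" \
             "${InFilter}" "${OutFilter}" "${FwdFilter}"; do
  ${VER_IPTABLES} -N "${chain}"
done
if [[ ${nat_enabled} == "yes" ]]; then
  ${VER_IPTABLES} -N "${NAT}" -t nat
  ${VER_IPTABLES} -N "${PortForward}" -t nat
fi
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -N "${v6ICMP}"
${VER_IPTABLES} -N "${InPostRules}"
${VER_IPTABLES} -N "${OutPostRules}"
# Set up rules - the order matters - we do it separately here
# for easy viewing of order.  Hooks are sourced inline (not through a
# helper) so they see the same positional parameters as before.
hook="${hookdir}/prerun.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPreRules"
${VER_IPTABLES} -A INPUT -j "${InPreRules}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPreRules"
${VER_IPTABLES} -A OUTPUT -j "${OutPreRules}"
hook="${hookdir}/easyblock.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InEasyBlock"
${VER_IPTABLES} -A INPUT -j "${InEasyBlock}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutEasyBlock"
${VER_IPTABLES} -A OUTPUT -j "${OutEasyBlock}"
hook="${hookdir}/filter.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InFilter"
${VER_IPTABLES} -A INPUT -j "${InFilter}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutFilter"
${VER_IPTABLES} -A OUTPUT -j "${OutFilter}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up FwdFilter"
${VER_IPTABLES} -A FORWARD -j "${FwdFilter}"
hook="${hookdir}/nat.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up NAT"
[[ ${nat_enabled} == "yes" ]] && ${VER_IPTABLES} -A POSTROUTING -t nat -j "${NAT}"
hook="${hookdir}/portfw.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up PortForward"
[[ ${nat_enabled} == "yes" ]] && ${VER_IPTABLES} -A PREROUTING -t nat -j "${PortForward}"
hook="${hookdir}/postrun.sh"
[[ -f "${hook}" && -x "${hook}" ]] && . "${hook}"
# The v6ICMP chain is jumped to after the user hooks and before the final
# post-rules chain, exactly as in the original.
[[ ${IPVER} == "6" ]] && ${VER_IPTABLES} -A INPUT -j "${v6ICMP}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up InPostRules"
${VER_IPTABLES} -A INPUT -j "${InPostRules}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Setting up OutPostRules"
${VER_IPTABLES} -A OUTPUT -j "${OutPostRules}"
}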
function allow_all_loopback {
# Accept all traffic on the loopback interface in both directions by
# appending to the pre-rule chains, so it is matched before any block or
# filter chain.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose,
#   like everywhere else in this file).
IP_VERSION=$1
if [[ ${IP_VERSION} == "ipv6" ]]; then
  VER_IPTABLES=${IP6TABLES}
  IPVER="6"
else
  VER_IPTABLES=${IPTABLES}
  IPVER="4"
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loaded"
${VER_IPTABLES} -A "${InPreRules}" -i lo -j ACCEPT
${VER_IPTABLES} -A "${OutPreRules}" -o lo -j ACCEPT
}
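function allow_trusted_hosts {
# Accept all traffic to and from every host/network listed in
# ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf (one or more addresses per line,
# whitespace separated; "#" starts a comment).
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Returns 1 if the file is missing (after printing the error, as before).
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose).
#
# SECURITY NOTE: a trusted entry bypasses every later chain in both
# directions and is matched on address only, with no interface binding -
# anything that can spoof that address on any interface gets through.  Keep
# the list short and prefer single hosts over wide ranges.
#
# Changed from the original: comments are stripped from "#" to the end of
# the line instead of dropping the whole line (so "10.0.0.1 # nas" still
# trusts 10.0.0.1), and the file is read line by line instead of through an
# unquoted command substitution.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local conf="${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
if [[ ! -e "${conf}" ]]; then
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load trusted hosts file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return 1
fi
local line host
while IFS= read -r line || [[ -n "${line}" ]]; do
  line=${line%%#*}   # drop a trailing comment
  # Word-split the remainder on purpose: several hosts per line are allowed.
  for host in ${line}; do
    ${VER_IPTABLES} -A "${InPreRules}" -s "${host}" -j ACCEPT
    ${VER_IPTABLES} -A "${OutPreRules}" -d "${host}" -j ACCEPT
  done
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}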
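function enable_mss_clamp {
# Install TCPMSS clamping rules from ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf.
# Each line: INTERFACE [MSS [TYPE [SIZE]]]
#   INTERFACE - outgoing interface, or "all" for no interface match
#   MSS       - only clamp SYNs whose MSS option matches this tcpmss value
#               ("-" or missing: clamp every SYN)
#   TYPE      - "out" (OutFilter chain, default) or "fwd" (FwdFilter chain);
#               any other word is used as a chain name verbatim
#   SIZE      - fixed MSS to set ("-" or missing: --clamp-mss-to-pmtu)
# Lines starting with "#" and blank lines are skipped.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Returns 1 (after the error messages) if the file is missing.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose).
#
# Fixed from the original: a line with only an interface (empty MSS column)
# produced "-m tcpmss --mss" with no value and the rule failed to load; an
# empty MSS now means "-".  The "-o" option is also built once instead of
# once per matching chain.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local conf="${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
if [[ ! -e "${conf}" ]]; then
  ${display} RED "File Missing: ${conf}"
  ${display} RED "Error: can not load mss clamp file."
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} failed"
  return 1
fi
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
local interface mss type msssize chain iface_opt mss_opt size_opt
while read -r interface mss type msssize; do
  [[ ${interface} = \#* ]] && continue
  [[ -z ${interface} ]] && continue
  # Empty or "-" columns both mean "not given".
  [[ -z ${mss} ]] && mss="-"
  [[ -z ${type} ]] && type="-"
  [[ -z ${msssize} ]] && msssize="-"
  # Chain: out (default) / fwd / literal chain name.
  case "${type}" in
    -|out) chain="${OutFilter}" ;;
    fwd)   chain="${FwdFilter}" ;;
    *)     chain="${type}" ;;
  esac
  # Only the out/fwd chains get an outgoing-interface match, and "all"
  # means no interface match at all.
  iface_opt=""
  if [[ ${interface} != "all" ]] && [[ ${type} == "-" || ${type} == "out" || ${type} == "fwd" ]]; then
    iface_opt="-o ${interface}"
  fi
  mss_opt=""
  [[ ${mss} != "-" ]] && mss_opt="-m tcpmss --mss ${mss}"
  if [[ ${msssize} != "-" ]]; then
    size_opt="--set-mss ${msssize}"
  else
    size_opt="--clamp-mss-to-pmtu"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${iface_opt} ${mss_opt} ${chain} ${size_opt}"
  # shellcheck disable=SC2086 -- the *_opt strings are option lists on purpose
  ${VER_IPTABLES} -A "${chain}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
    ${iface_opt} ${mss_opt} ${size_opt}
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}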
  200. function allow_resolvconf_servers {
  201. IP_VERSION=$1
  202. case $IP_VERSION in
  203. ipv6) VER_IPTABLES=${IP6TABLES};
  204. IPVER="6" ;;
  205. ipv4|*) VER_IPTABLES=${IPTABLES}
  206. IPVER="4" ;;
  207. esac
  208. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  209. [[ ${IP_VERSION} == "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
  210. [[ ${IP_VERSION} == "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
  211. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
  212. while read -r type server; do
  213. [[ ${type} != "nameserver" ]] && continue
  214. [[ ${type} = "" ]] && continue
  215. ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
  216. ([[ ! ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
  217. use_conntrack="no"
  218. ([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
  219. ([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
  220. if [[ ${use_conntrack} == "yes" ]]; then
  221. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
  222. ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${server} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
  223. ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${server} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  224. else
  225. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
  226. ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
  227. ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
  228. #${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
  229. #${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
  230. fi
  231. done < "${ResolvConfFile}"
  232. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  233. }
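function allow_dnsclient_manual {
# Allow DNS client traffic (UDP/53) to an explicit, whitespace-separated
# list of servers instead of reading resolv.conf.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
#   $2 - server addresses, whitespace separated (e.g. "192.0.2.1 192.0.2.2").
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER, DNS_SERVERS (global on
#   purpose, as in the original).
#
# Same rule shapes as allow_resolvconf_servers.  Fixed from the original:
# the stateless rules had "-s server" on OUTPUT and "-d server" on INPUT,
# which cannot match this host's own queries or the replies; and the
# conntrack debug line printed an unset ${server} instead of the address
# being added.
# NOTE(review): TCP/53 is not allowed here, as in the original.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
DNS_SERVERS="$2"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local use_conntrack="no"
if [[ ${IPVER} == "6" ]]; then
  [[ ${Enablev6ConnectionTracking} == "yes" ]] && use_conntrack="yes"
else
  [[ ${Enablev4ConnectionTracking} == "yes" ]] && use_conntrack="yes"
fi
local server
# Word-split on purpose: the list is whitespace separated.
for server in ${DNS_SERVERS}; do
  if [[ ${use_conntrack} == "yes" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to conntrack list for DNS traffic"
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
  else
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
    # Queries leave from an unprivileged local port to the server's port 53;
    # replies come back from the server's port 53.
    ${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
    ${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
  fi
done
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}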
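function enable_easyblock {
# Install simple DROP rules from ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf.
# Each line: IN|OUT INTERFACE ADDRESS PORT PROTOCOL
#   IN  -> InEasyBlock chain;  INTERFACE is "-i", ADDRESS is "-s"
#   OUT -> OutEasyBlock chain; INTERFACE is "-o", ADDRESS is "-d"
#   PORT is a destination port ("--dport"), PROTOCOL is "-p".
# "-" or a missing column means "do not match on this".  Lines starting
# with "#" and blank lines are skipped.  A missing file is silently
# ignored, as before.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose).
#
# Fixed from the original: missing trailing columns produced options with
# no value ("--dport ", "-p ") and the rule failed to load; and a PORT
# without a PROTOCOL is now rejected with a message instead of being handed
# to iptables, which cannot match a port without "-p" and would have left
# the block rule uninstalled with only an iptables error to show for it.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local conf="${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"
[[ -e "${conf}" ]] || return 0
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
local direction interface address port protocol chain
local iface_opt addr_opt port_opt proto_opt
while read -r direction interface address port protocol; do
  [[ ${direction} = \#* ]] && continue
  [[ -z ${direction} ]] && continue
  # Normalise missing columns to "-" so every field is a value or "-".
  [[ -z ${interface} ]] && interface="-"
  [[ -z ${address} ]] && address="-"
  [[ -z ${port} ]] && port="-"
  [[ -z ${protocol} ]] && protocol="-"
  case "${direction}" in
    IN)
      chain="${InEasyBlock}"
      iface_opt="-i ${interface}"
      addr_opt="-s ${address}"
      ;;
    OUT)
      chain="${OutEasyBlock}"
      iface_opt="-o ${interface}"
      addr_opt="-d ${address}"
      ;;
    *)
      ${display} RED "easyblock.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
      continue
      ;;
  esac
  if [[ ${port} != "-" && ${protocol} == "-" ]]; then
    ${display} RED "easyblock.conf: Error - a port needs a protocol: ${DEFAULT_COLOR}${direction} ${interface} ${address} ${port} ${protocol}"
    continue
  fi
  # Blank the options for columns given as "-".
  [[ ${interface} == "-" ]] && iface_opt=""
  [[ ${address} == "-" ]] && addr_opt=""
  port_opt=""
  [[ ${port} != "-" ]] && port_opt="--dport ${port}"
  proto_opt=""
  [[ ${protocol} != "-" ]] && proto_opt="-p ${protocol}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${direction} ${iface_opt} ${addr_opt} ${port_opt} ${proto_opt}"
  # shellcheck disable=SC2086 -- the *_opt strings are option lists on purpose
  ${VER_IPTABLES} -A "${chain}" ${iface_opt} ${addr_opt} ${proto_opt} ${port_opt} -j DROP
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}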
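function enable_filtering {
# Install ACCEPT/DROP/REJECT rules from ${FWCONFIGDIR}/ipv${IPVER}/acl.conf
# into the InFilter (IN) or OutFilter (OUT) chain.
# Each line:
#   IN|OUT ACTION INTERFACE SRCADDR SRCPORT DSTADDR DSTPORT PROTO SYN STATE CUSTOM
#   INTERFACE - "-i" for IN, "-o" for OUT
#   SRCPORT/DSTPORT - single port, or a multiport spec when the value
#                     contains "," ":" or "-" (then -m multiport --sports/--dports)
#   SYN    - "syn" (--syn) or "notsyn" (! --syn)
#   STATE  - conntrack state list, used only when connection tracking is
#            enabled for the family
#   CUSTOM - everything after STATE is passed to iptables verbatim
# "-" or a missing column means "do not match on this".  Lines starting
# with "#" and blank lines are skipped; a missing file is silently ignored.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose).
#
# Fixed from the original:
#   * a single SRCPORT was emitted as "--dport", so a rule written to match
#     a source port matched the destination port instead (and a line with
#     both ports passed two --dport options and failed to load);
#   * missing trailing columns produced options with no value;
#   * REJECT always used "--reject-with tcp-reset"; iptables only accepts
#     that together with "-p tcp", so non-TCP REJECT lines never loaded.
#     They now get a plain REJECT (ICMP port-unreachable).
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local conf="${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
[[ -e "${conf}" ]] || return 0
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
local conntrack="no"
[[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && conntrack="yes"
[[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && conntrack="yes"
local direction action interface srcaddress srcport dstaddress dstport protocol syn state custom
local chain target iface_opt src_opt sport_opt dst_opt dport_opt proto_opt syn_opt state_opt field
while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom; do
  [[ ${direction} = \#* ]] && continue
  [[ -z ${direction} ]] && continue
  # Normalise missing columns to "-" so every field is a value or "-".
  for field in interface srcaddress srcport dstaddress dstport protocol syn state; do
    [[ -z ${!field} ]] && printf -v "${field}" '%s' "-"
  done
  case "${direction}" in
    IN)  chain="${InFilter}";  iface_opt="-i ${interface}" ;;
    OUT) chain="${OutFilter}"; iface_opt="-o ${interface}" ;;
    *)
      ${display} RED "acl.conf: Error - must begin with IN/OUT: ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue
      ;;
  esac
  case "${action}" in
    ACCEPT|DROP) target="${action}" ;;
    REJECT)
      # tcp-reset is only valid for TCP; anything else gets the default
      # ICMP port-unreachable reject.
      if [[ ${protocol} == "tcp" ]]; then
        target="REJECT --reject-with tcp-reset"
      else
        target="REJECT"
      fi
      ;;
    *)
      ${display} RED "acl.conf: Error - action must be either ACCEPT, DROP, or REJECT : ${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${state}"
      continue
      ;;
  esac
  [[ ${interface} == "-" ]] && iface_opt=""
  src_opt="";   [[ ${srcaddress} != "-" ]] && src_opt="-s ${srcaddress}"
  dst_opt="";   [[ ${dstaddress} != "-" ]] && dst_opt="-d ${dstaddress}"
  proto_opt=""; [[ ${protocol} != "-" ]] && proto_opt="-p ${protocol}"
  # Ports: a list/range needs the multiport match, a single port does not.
  sport_opt=""
  if [[ ${srcport} != "-" ]]; then
    if [[ ${srcport} =~ (-|:|,) ]]; then
      sport_opt="-m multiport --sports ${srcport}"
    else
      sport_opt="--sport ${srcport}"
    fi
  fi
  dport_opt=""
  if [[ ${dstport} != "-" ]]; then
    if [[ ${dstport} =~ (-|:|,) ]]; then
      dport_opt="-m multiport --dports ${dstport}"
    else
      dport_opt="--dport ${dstport}"
    fi
  fi
  syn_opt=""
  [[ ${syn} == "syn" ]] && syn_opt="--syn"
  [[ ${syn} == "notsyn" ]] && syn_opt="! --syn"
  state_opt=""
  [[ ${conntrack} == "yes" && ${state} != "-" ]] && state_opt="${M_STATE} ${C_STATE} ${state}"
  [[ ${custom} == "-" ]] && custom=""
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${target} ${iface_opt} ${src_opt} ${sport_opt} ${dst_opt} ${dport_opt} ${proto_opt} ${syn_opt} ${custom}"
  # shellcheck disable=SC2086 -- the *_opt strings are option lists on purpose
  ${VER_IPTABLES} -A "${chain}" ${iface_opt} ${proto_opt} ${src_opt} ${sport_opt} ${syn_opt} ${dst_opt} ${dport_opt} ${state_opt} ${custom} -j ${target}
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}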
function enable_forwarding {
# Install FORWARD-chain rules from ${FWCONFIGDIR}/ipv${IPVER}/forward.conf
# into the FwdFilter chain.
# Each line:
#   ACTION SRCIF SRCADDR DSTIF DSTADDR BIDIRECTIONAL SRCPORT DSTPORT PROTO SYN STATE CUSTOM
#   ACTION        - ACCEPT or DROP (anything else is reported and skipped)
#   SRCIF / DSTIF - "-i" / "-o"
#   BIDIRECTIONAL - "yes" appends a second rule with interfaces, addresses
#                   and ports swapped
#   SRCPORT/DSTPORT - single port, or a multiport spec when the value
#                   contains "," ":" or "-"
#   SYN           - "syn" (--syn; dropped for udp) or "notsyn" (! --syn)
#   STATE         - conntrack state list, used only when connection
#                   tracking is enabled for the family
#   CUSTOM        - rest of the line, passed to iptables verbatim
# "-" or a missing trailing column means "not given".  A missing file is
# silently ignored.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER and the per-line
#   variables below (all global, as everywhere in this file).
#
# NOTE(review): the reverse rule of a bidirectional line reuses ${syn} and
# ${conntrack_state} unchanged, so with "syn" it only matches SYN packets in
# the return direction as well - confirm that is intended before relying on
# it.  conntrack_udp_new is computed below but never used.
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom; do
# Clear everything derived from the previous line before anything else.
unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
[[ ${action} = \#* ]] && continue
[[ -z ${action} ]] && continue
([[ ${action} != "ACCEPT" ]] && [[ ${action} != "DROP" ]]) \
&& ${display} RED "forward.conf: Error - action must be either ACCEPT or DROP : ${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}" && continue
# Do some creative work with variables to make building the iptables rules fairly painless
# Although these next few rules seems like they duplicate some work, they
# actually make handling later rules simpler even if we end up blanking
# them yet again.
# Missing trailing columns become "-" so the tests below see one shape.
[[ -z ${dstport} ]] && dstport="-"
[[ -z ${srcport} ]] && srcport="-"
[[ -z ${protocol} ]] && protocol="-"
[[ -z ${syn} ]] && syn="-"
[[ -z ${state} ]] && state="-"
#([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
#([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
# State matching only when conntrack is on for this family and a state was given.
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
# Reverse-direction options for the bidirectional rule: src<->dst swapped.
([[ ${bidirectional} == "yes" ]] && [[ ${srcaddress} != "-" ]]) && revsrcaddress="-d ${srcaddress}"
([[ ${bidirectional} == "yes" ]] && [[ ${dstaddress} != "-" ]]) && revdstaddress="-s ${dstaddress}"
([[ ${bidirectional} == "yes" ]] && [[ ${dstinterface} != "-" ]]) && revdstinterface="-i ${dstinterface}"
([[ ${bidirectional} == "yes" ]] && [[ ${srcinterface} != "-" ]]) && revsrcinterface="-o ${srcinterface}"
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
# NOTE(review): conntrack_udp_new is set here but not referenced anywhere
# below - it has no effect on the rules that get installed.
([[ ${syn} == "syn" ]] && [[ ! -z ${conntrack_state} ]]) && conntrack_udp_new=",NEW"
# --syn is a TCP-only match, so it is silently dropped for udp lines.
([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
[[ ${syn} == "syn" ]] && syn="--syn"
[[ ${syn} == "notsyn" ]] && syn="! --syn"
# A port value containing "," ":" or "-" is a list/range and needs multiport.
dstmultiport="no"
srcmultiport="no"
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
# The reverse rule's ports are the already-built option strings with
# sport<->dport swapped in the option name (works for both --sport and --sports).
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
# Blank variables that we're not going to use.
[[ ${srcinterface} == "-" ]] && srcinterface=""
[[ ${dstinterface} == "-" ]] && dstinterface=""
[[ ${dstaddress} == "-" ]] && dstaddress=""
[[ ${srcaddress} == "-" ]] && srcaddress=""
[[ ${dstport} == "-" ]] && dstport=""
[[ ${srcport} == "-" ]] && srcport=""
[[ ${syn} == "-" ]] && syn=""
[[ ${state} == "-" ]] && state=""
[[ ${protocol} == "-" ]] && protocol=""
[[ ${bidirectional} == "-" ]] && bidirectional="no"
[[ ${custom} == "-" ]] && custom=""
# Forward rule, then (for bidirectional lines) the mirrored rule.  The
# option variables are intentionally unquoted: they hold option lists.
${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} ${custom} -j ${action}
unset action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom conntrack_state
done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}
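function enable_nat {
# Install source-NAT rules from ${FWCONFIGDIR}/ipv${IPVER}/nat.conf into the
# NAT chain of the nat table.
# Each line: TYPE SRCINTERFACE SRCADDR DSTINTERFACE DSTADDR [CUSTOM]
#   MASQ   - MASQUERADE out of DSTINTERFACE (required)
#   SNAT   - SNAT to DSTADDR (required, used as --to-source); SRCINTERFACE
#            is ignored for SNAT
#   NETMAP - NETMAP; CUSTOM is the target network (required, used as --to)
#            and DSTADDR is an optional "-d" match
#   ACCEPT - exempt matching traffic from NAT.  Rules are appended in file
#            order, so an ACCEPT line must come *before* the MASQ/SNAT line
#            it is meant to exempt.
# For MASQ, SNAT and ACCEPT the CUSTOM column (if not "-") is passed to
# iptables verbatim.  "-" or a missing column means "not given".
# A line with a SRCINTERFACE (other than SNAT) is put in PREROUTING with
# "-i" instead, and loses its DSTINTERFACE, because POSTROUTING cannot match
# on the incoming interface.
# NOTE(review): iptables only allows MASQUERADE in POSTROUTING, so a MASQ
# line with a SRCINTERFACE most likely fails to load - unchanged from the
# original, flagged here rather than silently rewritten.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Returns 1 (after an error) if connection tracking is disabled for the
# family, since NAT needs it.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER, ORIG_NAT (global on
#   purpose).  NAT itself is no longer modified: the original assigned it
#   per line and could leave it as "PREROUTING" after the loop.
#
# Fixed from the original: the "action" variable was never cleared between
# lines, so an ACCEPT line without DSTADDR (or any line whose checks did not
# set it) silently reused the previous line's target - e.g. "-j MASQUERADE"
# from a MASQ line, turning an intended NAT exemption into a masquerade rule.
# Every per-line option now starts empty and ACCEPT always sets "-j ACCEPT",
# with DSTADDR optional.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no"
  return 1
fi
if [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} != "yes" ]]; then
  ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no"
  return 1
fi
local conf="${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
[[ -e "${conf}" ]] || return 0
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
ORIG_NAT=${NAT}
local type srcinterface srcaddress dstinterface dstaddress custom
local chain action src_if_opt src_opt dst_if_opt dst_opt custom_opt
while read -r type srcinterface srcaddress dstinterface dstaddress custom; do
  chain=${ORIG_NAT}
  # Every per-line option starts empty: nothing may leak from the previous line.
  action=""; src_if_opt=""; src_opt=""; dst_if_opt=""; dst_opt=""; custom_opt=""
  [[ ${type} = \#* ]] && continue
  [[ -z ${type} ]] && continue
  [[ -z ${srcinterface} ]] && srcinterface="-"
  [[ -z ${srcaddress} ]] && srcaddress="-"
  [[ -z ${dstinterface} ]] && dstinterface="-"
  [[ -z ${dstaddress} ]] && dstaddress="-"
  [[ -z ${custom} ]] && custom="-"
  case "${type}" in
    MASQ)
      if [[ ${dstinterface} == "-" ]]; then
        ${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
        continue
      fi
      action="-j MASQUERADE"
      ;;
    SNAT)
      if [[ ${dstaddress} == "-" ]]; then
        ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}"
        continue
      fi
      action="-j SNAT"
      dst_opt="--to-source ${dstaddress}"
      srcinterface="-"   # SNAT never matches on the incoming interface
      ;;
    NETMAP)
      if [[ ${custom} == "-" ]]; then
        ${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}"
        continue
      fi
      action="-j NETMAP"
      custom_opt="--to ${custom}"
      [[ ${dstaddress} != "-" ]] && dst_opt="-d ${dstaddress}"
      ;;
    ACCEPT)
      action="-j ACCEPT"
      [[ ${dstaddress} != "-" ]] && dst_opt="-d ${dstaddress}"
      ;;
    *)
      ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}"
      continue
      ;;
  esac
  # For everything but NETMAP the custom column is raw iptables options.
  [[ ${type} != "NETMAP" && ${custom} != "-" ]] && custom_opt="${custom}"
  [[ ${srcaddress} != "-" ]] && src_opt="-s ${srcaddress}"
  [[ ${dstinterface} != "-" ]] && dst_if_opt="-o ${dstinterface}"
  # If we use a source interface, the rule can't go in a POSTROUTING table like what NAT is, so we punt it to PREROUTING
  # or it won't work. Plus we remove the destination interface too.
  if [[ ${srcinterface} != "-" ]]; then
    chain="PREROUTING"
    dst_if_opt=""
    src_if_opt="-i ${srcinterface}"
  fi
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${type} ${chain} ${src_if_opt} ${src_opt} ${action} ${dst_if_opt} ${dst_opt} ${custom_opt}"
  # shellcheck disable=SC2086 -- the *_opt strings are option lists on purpose
  ${VER_IPTABLES} -A "${chain}" -t nat ${src_if_opt} ${src_opt} ${action} ${dst_if_opt} ${dst_opt} ${custom_opt}
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}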
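function enable_services {
# Accept inbound connections to local services listed in
# ${FWCONFIGDIR}/ipv${IPVER}/services.conf, appended to the InFilter chain.
# Each line: PORT PROTOCOL [INTERFACE [ADDRESS [SRCADDRESS]]]
#   PORT       - destination port, or a multiport spec when it contains
#                "," ":" or "-"
#   PROTOCOL   - required ("-p")
#   INTERFACE  - incoming interface ("-i")
#   ADDRESS    - local destination address ("-d")
#   SRCADDRESS - allowed client source address/network ("-s")
# "-" or a missing column means "do not match on this".  With connection
# tracking enabled for the family the rule matches NEW connections only.
# Lines starting with "#" and blank lines are skipped; a missing file is
# silently ignored.
#
# Arguments:
#   $1 - "ipv6" or "ipv4"; anything else is treated as ipv4.
# Globals (written): IP_VERSION, VER_IPTABLES, IPVER (global on purpose).
#
# Fixed from the original: the ADDRESS column was stored into the srcaddress
# variable ("srcaddress=-d ${address}") and then prefixed with "-s" again,
# so any line with a destination address produced a malformed rule that
# failed to load - and lost its SRCADDRESS restriction on the way.  Missing
# trailing columns also produced options with no value.
IP_VERSION=$1
case "${IP_VERSION}" in
  ipv6)
    VER_IPTABLES=${IP6TABLES}
    IPVER="6"
    ;;
  *)
    VER_IPTABLES=${IPTABLES}
    IPVER="4"
    ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
local conf="${FWCONFIGDIR}/ipv${IPVER}/services.conf"
[[ -e "${conf}" ]] || return 0
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
local state_opt=""
[[ ${IPVER} == "4" && ${Enablev4ConnectionTracking} == "yes" ]] && state_opt="${M_STATE} ${C_STATE} NEW"
[[ ${IPVER} == "6" && ${Enablev6ConnectionTracking} == "yes" ]] && state_opt="${M_STATE} ${C_STATE} NEW"
local service protocol interface address srcaddress
local port_opt proto_opt iface_opt dst_opt src_opt
while read -r service protocol interface address srcaddress; do
  [[ ${service} = \#* ]] && continue
  [[ -z ${service} ]] && continue
  # Normalise missing columns to "-" so every field is a value or "-".
  [[ -z ${protocol} ]] && protocol="-"
  [[ -z ${interface} ]] && interface="-"
  [[ -z ${address} ]] && address="-"
  [[ -z ${srcaddress} ]] && srcaddress="-"
  if [[ ${service} == "-" ]]; then
    ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
    continue
  fi
  if [[ ${protocol} == "-" ]]; then
    ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}"
    continue
  fi
  # A port list/range needs the multiport match; a single port does not.
  if [[ ${service} =~ (-|:|,) ]]; then
    port_opt="-m multiport --dports ${service}"
  else
    port_opt="--dport ${service}"
  fi
  proto_opt="-p ${protocol}"
  iface_opt=""; [[ ${interface} != "-" ]] && iface_opt="-i ${interface}"
  dst_opt="";   [[ ${address} != "-" ]] && dst_opt="-d ${address}"
  src_opt="";   [[ ${srcaddress} != "-" ]] && src_opt="-s ${srcaddress}"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${port_opt} ${proto_opt} ${iface_opt} ${dst_opt} ${src_opt}"
  # shellcheck disable=SC2086 -- the *_opt strings are option lists on purpose
  ${VER_IPTABLES} -A "${InFilter}" ${proto_opt} ${port_opt} ${iface_opt} ${dst_opt} ${src_opt} ${state_opt} -j ACCEPT
done < "${conf}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}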
# enable_conntrack_int (ipv6|ipv4) (all|"iface iface ...")
# Append the connection-tracking rules to ${OutPreRules} and ${InPreRules}:
# ESTABLISHED,RELATED traffic is accepted and INVALID traffic is dropped.
# With "all" the rules carry no interface selector; otherwise the second
# argument is a whitespace-separated interface list and one set of rules is
# added per interface (-o for output, -i for input).
# Sets the globals IP_VERSION, VER_IPTABLES, IPVER and conntrack_int.
function enable_conntrack_int {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  conntrack_int="$2"
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  local iface out_sel in_sel
  if [[ ${conntrack_int} == "all" ]]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on all interfaces"
    # One empty entry gives a single pass with no interface selector.
    set -- ""
  else
    # Deliberately unquoted: the argument is a whitespace-separated list.
    set -- ${conntrack_int}
  fi
  for iface in "$@"; do
    out_sel=""
    in_sel=""
    if [[ -n ${iface} ]]; then
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Enabling conntrack on ${iface}"
      out_sel="-o ${iface}"
      in_sel="-i ${iface}"
    fi
    # Unquoted on purpose: the selectors are an option plus its value (or empty).
    ${VER_IPTABLES} -A ${OutPreRules} ${out_sel} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${InPreRules} ${in_sel} ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
    ${VER_IPTABLES} -A ${OutPreRules} ${out_sel} ${M_STATE} ${C_STATE} INVALID -j DROP
    ${VER_IPTABLES} -A ${InPreRules} ${in_sel} ${M_STATE} ${C_STATE} INVALID -j DROP
  done
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
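# enable_portfw (ipv6|ipv4)
# Read ${FWCONFIGDIR}/ipv{4,6}/portfw.conf and, per line, append a DNAT rule
# to ${PortForward} (nat table) plus the matching ACCEPT rule to ${FwdFilter}
# so the rewritten packet is let through. Fields are whitespace separated:
#   service protocol intip intport [interface] [address] [srcaddress]
# "-" or a missing trailing field means "do not match on this field"; an
# intport of "-" forwards to the same port the packet arrived on. Lines
# starting with "#" and blank lines are skipped; lines without a service,
# protocol or internal address are reported and skipped.
# Sets the globals IP_VERSION, VER_IPTABLES and IPVER like its siblings.
function enable_portfw {
  IP_VERSION=$1
  case $IP_VERSION in
    ipv6) VER_IPTABLES=${IP6TABLES}; IPVER="6" ;;
    ipv4|*) VER_IPTABLES=${IPTABLES}; IPVER="4" ;;
  esac
  local conf="${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
  local service protocol intip intport interface address srcaddress
  local conntrack_state intdest
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  if [ -e "${conf}" ]; then
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${conf} successful"
    while read -r service protocol intip intport interface address srcaddress; do
      use_conntrack="no"   # legacy flag; nothing in this function reads it
      # Reset per line: neither value may carry over from the previous line
      # (intdest used to, so a line without intip reused the last target).
      conntrack_state=""
      intdest=""
      if [[ ${IP_VERSION} == "ipv4" && ${Enablev4ConnectionTracking} == "yes" ]] \
        || [[ ${IP_VERSION} == "ipv6" && ${Enablev6ConnectionTracking} == "yes" ]]; then
        conntrack_state="${M_STATE} ${C_STATE} NEW"
      fi
      [[ ${service} = \#* ]] && continue
      [[ -z ${service} ]] && continue
      # Missing trailing fields come back from read as "": treat them as "-".
      intip=${intip:--}
      intport=${intport:--}
      interface=${interface:--}
      address=${address:--}
      srcaddress=${srcaddress:--}
      if [[ ${service} == "-" ]]; then
        ${display} RED "portfw.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      if [[ ${protocol} == "-" || -z ${protocol} ]]; then
        ${display} RED "portfw.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      # DNAT has nowhere to send the packet without an internal address.
      if [[ ${intip} == "-" ]]; then
        ${display} RED "portfw.conf: Error - internal destination address can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress}"
        continue
      fi
      service="--dport ${service}"
      protocol="-p ${protocol}"
      # DNAT target: the bare address keeps the original port. With a port,
      # ip6tables needs the address in brackets ([addr]:port).
      if [[ ${intport} == "-" ]]; then
        intdest="${intip}"
        intport=""
      else
        if [[ ${IPVER} == "6" ]]; then
          intdest="[${intip}]:${intport}"
        else
          intdest="${intip}:${intport}"
        fi
        intport="--dport ${intport}"
      fi
      # The forward rule matches the packet after rewriting: new destination
      # address and (if changed) port.
      intip="-d ${intip}"
      # Turn each optional field into its iptables option, or into nothing
      # when it is "-".
      if [[ ${interface} == "-" ]]; then interface=""; else interface="-i ${interface}"; fi
      if [[ ${address} == "-" ]]; then address=""; else address="-d ${address}"; fi
      if [[ ${srcaddress} == "-" ]]; then srcaddress=""; else srcaddress="-s ${srcaddress}"; fi
      ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${service} ${protocol} ${intip} ${intport} ${interface} ${address} ${srcaddress} -> ${intdest}"
      # Deliberately unquoted: each variable holds an option plus its value
      # (or is empty) and must be word-split. intdest is a single word and is
      # quoted so the brackets of an IPv6 target are never glob-expanded.
      ${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT --to-destination "${intdest}"
      ${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT
    done < "${conf}"
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
  fi
}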
  612. function enable_v6_critical_icmp {
  613. VER_IPTABLES=${IP6TABLES}
  614. ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
  615. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
  616. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
  617. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
  618. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
  619. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
  620. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
  621. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
  622. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
  623. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 137 -j ACCEPT
  624. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 141 -j ACCEPT
  625. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 142 -j ACCEPT
  626. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 130 -j ACCEPT
  627. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 131 -j ACCEPT
  628. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 132 -j ACCEPT
  629. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 143 -j ACCEPT
  630. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 148 -j ACCEPT
  631. ${VER_IPTABLES} -A ${v6ICMP} -p ipv6-icmp --icmpv6-type 149 -j ACCEPT
  632. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 151 -j ACCEPT
  633. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 152 -j ACCEPT
  634. ${VER_IPTABLES} -A ${v6ICMP} -s fe80::/10 -p ipv6-icmp --icmpv6-type 153 -j ACCEPT
  635. }